Internal Auditing

  • Slides: 56

The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

Internal auditing provides a mechanism for management to monitor the reliability of financial reporting and the company’s control over operations.

Internal Audit Responsibility Types

Internal auditing services fall into three fundamental categories:

1. Operational – reviewing the various functions within the organization in order to appraise the efficiency and economy of operations and the effectiveness with which the functions achieve their objectives.
2. Financial – reviewing the economic activity of the organization as it is measured and reported by accounting methods.
3. Compliance – reviewing both financial and operating controls and transactions to determine whether they conform to laws, standards, regulations and procedures.

Internal Audit Responsibility

The responsibility of the internal audit function is to review and appraise policies, procedures, plans and records for the purpose of informing and advising management.

Perhaps more important is what internal audit is not responsible for. Internal audit is not responsible for and has no authority over operating activities. Internal audit makes no decisions about what should be done – they provide information and advice, and then management makes a decision. Internal audit may help with implementation, but management makes the decision.

Internal Auditors

The internal auditors are not responsible for the internal control system (management is responsible for that).

The internal auditor’s function is to test, examine, review, evaluate and make recommendations about the internal control system. In this way, internal auditing assists management in carrying out its monitoring responsibilities.

Internal Audit Functions

The internal audit function should report to the board of directors through the audit committee.

The internal auditors need to be perceived as an important part of the company in order to be able to do their job effectively. People in the company need to know that the board will listen to what the auditors say and that the conclusions of the auditor are therefore important. By reporting to a high level, the function has organizational independence. This means that the auditors do not have any direct relationship with those they are auditing. The people they are auditing cannot tell them what to do or fire them.

External auditors are focused on one thing – the opinion about the financial statements. External auditors are not concerned about the efficiency or effectiveness of operations, just that the financial statements reflect fairly the operations of the company.

Internal auditors have a wider range of interests and engagements. They compare “what is” in the company with “what should be” and report to management their findings. In addition to their findings, the internal auditor develops and reports recommendations for improvement.

Internal Auditors Support to External Auditors

Some of the work of the internal auditors may be relevant to and used by the external auditor. Before using the work of the internal auditors, however, the external auditor must assess the internal auditors’:

  • Competence (how well they do their job), and
  • Objectivity (their organizational independence, or their role within the organization).

If the external auditor decides to use some of the work of the internal auditor:

  • The external auditor will supervise, manage and review all of the work done by the internal auditors.
  • The internal auditors will not assess risk.
  • The internal auditors will not draw any conclusions.
  • The internal auditor will be more likely to be used in areas that are objective (existence of fixed assets) than subjective (valuation of future cash flows).

Internal Auditing Session 2

Internal Auditors Services

Internal auditors perform two basic types of services:

1. Assurance services: performing an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
2. Consulting services: advisory and other related client service activities. They are usually performed at the request of the client, and their nature and scope are agreed upon with the client. They are intended to add value and improve an organization's governance, risk management and control processes.

Assurance services include:

1. Financial audit: analyze the economic activity as measured and reported by accounting methods. The goal is to determine whether financial assertions can be proven:
     • Existence or occurrence
     • Completeness
     • Rights and obligations
     • Valuation or allocation
     • Presentation and disclosure
2. Performance (or operational) audit: it focuses on the efficiency, effectiveness, and economy of the company's internal control system based upon the company standards.

Assurance services include (cont'd):

3. Audit of financial controls: involves examining two aspects of financial internal controls:
     • Controls over financial resources
     • Controls over the accounting for financial resources
4. Compliance audit: performed in order to determine whether an organization is operating in an orderly way, effectively and visibly conforming to certain specific requirements of its policies, procedures, or standards.
5. System security audit: auditing the controls in place for information systems.
6. Due diligence engagement: to confirm company records, both financial and those of property ownership.

Examples of consulting services include:

1. Quality audit: evaluating the quality of the product or service being provided.
2. Special engagements: an example of a special engagement is a fraud audit. Fraud audits are performed for the purpose of discovering the presence, scope and means of either misappropriation of assets or fraudulent reporting.

Consulting services are intended to add value and improve an organization's activities in a specific area without assuming management responsibility.

Per Internal Auditing Standard No. 2120, the internal auditor should follow the following standards during a consulting engagement:

  • Address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
  • Incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

The beginning of the audit process is to determine which engagements to conduct. The chief audit executive makes the decisions regarding which engagements to perform based upon risk-based factors such as:

  • Length of time since the last audit was performed in this area
  • Requests from senior management
  • Relation of the proposed engagement to the external audits of financial statements and internal controls
  • Changing circumstances in the business, operations, systems or controls
  • Potential benefit that could be achieved by the engagement

According to Internal Auditing Standard 2201, the internal auditor considers the following in planning the engagement:

  • The objectives of the activity being reviewed and the means by which the activity controls its performance;
  • The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  • The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model;
  • The opportunities for making improvements to the activity's risk management and control processes.

When establishing an audit's objectives, Internal Auditing Standard 2210 states that the auditor must:

  • Conduct a preliminary assessment of the risks relevant to the activity under review.
  • Consider the probability of significant errors, fraud, noncompliance, and other exposures.
  • Ensure that adequate criteria are available to evaluate controls. If they are adequately defined by management, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.
  • Address governance, risk management, and control processes to the extent agreed upon with the client during consulting engagements.

Assessing audit risk is an important part of the audit process. Audit risk is the risk that the auditor will conclude that everything is working properly when, in fact, it is not working correctly. It is made up of three components:

  • Inherent risk (IR) – the risk that exists in what is being audited; the risk of a problem in the absence of controls.
  • Control risk (CR) – the risk that a mistake is NOT prevented or detected by the internal control system.
  • Detection risk (DR) – the risk that the mistake is NOT detected by the auditor.

The audit risk is calculated by multiplying these risks together:

AR = IR × CR × DR

Control risk and detection risk operate inversely to each other.

  • If control risk decreases (the internal controls are better), the detection risk can be increased (auditors do less testing) and the audit risk will remain the same.
  • If control risk increases (the internal controls are worse), the detection risk can be decreased (auditors do more testing) and the audit risk will remain the same.

The auditor assesses inherent and control risk, but is able to influence only detection risk.

After the engagement objectives are determined and the inherent risks identified, the next step is the understanding of internal controls. The auditor’s understanding needs to encompass the 5 components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.

The auditor will use this understanding to:

  • Identify types of potential misstatements that may occur in whatever is being audited
  • Consider factors related to risk of material misstatement
  • Design the substantive tests to be performed

Internal control systems may be documented in a flowchart.

  • A systems flowchart (or horizontal flowchart) shows departments and functions across the top and documents manual and automated processes. Control points are identified.
  • A program flowchart (or vertical flowchart) shows the steps in the process and how they will be executed.
  • A data flow diagram is a graphic representation of the internal control system.

The audit program is written after the assessment of the relevant internal controls.

  • The program should include the objectives of the area to be audited and the controls in place to achieve the area’s objectives, which determine the audit objectives.
  • It gives details on the procedures to be followed to reach the objectives of the audit: what is to be done and how it will be done.
  • It must be written and must be detailed enough so that the auditors know what is to be done.
  • It is used to supervise and review the work.
  • Standardized audit programs may be used when appropriate.

Evidence is what the auditor gathers to be able to support their conclusion. The evidence should be:

  • Sufficient – there must be enough evidence
  • Competent – it must be reliable and the best available
  • Relevant – must be consistent with the objectives of the audit
  • Useful – assists the organization to achieve its goals

The most competent, or best, source of evidence is something obtained by the auditor directly. Evidence from the client is the worst, and evidence from a third party is in the middle.

Audit evidence is classified according to legal rules of evidence. These include:

  • Direct – acquired directly by the party offering it
  • Hearsay – secondhand account where the witness does not have personal direct knowledge
  • Documentary – any original record, deed, or document
  • Opinion – not generally considered useful evidence
  • Circumstantial – evidence that is consistent with a particular inference
  • Secondary – not the original documentation
  • Corroborative – supports other evidence
  • Conclusive – it is indisputable

The Sarbanes-Oxley Act requires management to assess the adequacy of the company’s internal controls over financial reporting. Internal auditors can assist in this through an audit of financial controls.

  • A financial audit focuses on accounting controls.
  • An operational audit focuses on administrative controls.
  • Accounting controls are concerned with the integrity and accuracy of the accounting system and the financial reports being generated.
  • Administrative controls are more focused on management's operating objectives.

Accounting controls are intended to achieve the following characteristics for the financial records:

  • Completeness: Are all of the transactions reflected in or captured by the accounting system?
  • Validity: Are only valid transactions recorded?
  • Authorization: Are all transactions properly authorized?
  • Accuracy: Are reported numbers accurate representations of the economic transactions that have occurred?

An audit of controls has the following objectives:

1. Determine if controls are in place
2. Determine if the existing controls are structurally sound
3. Determine if the controls are designed to achieve a specific management objective, to achieve compliance with predetermined requirements, or to ensure accuracy and propriety of transactions
4. Determine whether the controls are being used properly
5. Determine if the controls are efficiently serving their purpose
6. Determine whether the controls are effective
7. Determine if management is using the output of the control system
8. Does the control system have the following required characteristics? Flexibility. Timeliness. Accountability. Cause identification. Appropriateness. Placement.

Procedures the auditor performs to test operating effectiveness of controls include a mix of tests. Some types of tests produce greater evidence of the effectiveness of the controls than other tests. Here are the tests that an auditor might perform, in order of the evidence they would usually produce, from the lowest quality evidence to the highest quality evidence:

1. Inquiry of appropriate personnel;
2. Observation;
3. Inspection of relevant documentation; and
4. Re-performance of a control

If an auditor identifies a deficiency in a control over financial reporting, the auditor should evaluate the severity of the deficiency to determine whether the deficiency, either individually or in combination with other deficiencies, represents a material weakness. The severity depends upon:

  • Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure; and
  • The magnitude of the potential misstatement resulting from the deficiency or deficiencies.

Risk factors affect whether there is a reasonable possibility that a deficiency or combination of deficiencies will result in a misstatement of an account balance or disclosure. These risk factors include:

  • The nature of the financial statement accounts, disclosures, and assertions involved;
  • The susceptibility of the related asset or liability to loss or fraud, or how likely it is that something could go wrong;
  • The subjectivity, complexity, or extent of judgment required to determine the amount involved;

These risk factors include (cont'd):

  • The interaction or relationship of the control with other controls, including if they are interdependent or redundant
  • The interaction of the deficiencies, i.e., if there is more than one, could they in combination cause a material misstatement
  • The possible future consequences of the deficiency

If multiple control deficiencies affect the same financial statement balance or disclosure, that increases the likelihood of misstatement and may, in combination, constitute a material weakness (though each deficiency individually may not be severe).

Factors that affect the size of a misstatement that might result from a deficiency in controls include:

  • The financial statement amounts or total of transactions exposed to the deficiency; and
  • The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.

Financial Audit

In a financial statement audit, the audit should be prepared so that any material misstatement is detected, no matter what the cause of the misstatement.

The auditor is responsible for examining the controls to determine if they are adequate to prevent or detect fraud and must also have sufficient knowledge to be able to identify the indicators that fraud may have occurred. However, the deterrence of fraud is the responsibility of management, not the auditor.

It is preferable (and usually cheaper) to prevent fraud than it is to discover it after the fact.

If the auditor detects control weaknesses, additional tests should be performed to identify other factors of fraud that may be present. When fraud is detected, the auditor should immediately report it to the appropriate level of management.

There are three main classifications of fraud:

  • Misstatements from fraudulent financial reporting
  • Misappropriation (theft) of company assets
  • Corruption (bribes, conflicts of interest)

In the misappropriation of assets, the employee is more likely to be ‘living beyond their means’ because they have more money than their salary as a result of theft.

The following items do not indicate that fraud is occurring, but rather that conditions exist in which fraud may occur more easily:

  • No segregation of duties;
  • Lack of controls such as limiting access to assets, comparing existing assets with recorded assets, and requiring proper authorization for executing transactions;
  • Lack of qualified personnel;
  • Collusion among employees;
  • The existence of high-value, small, liquid assets; and
  • Management override of controls that are in place.

The Institute of Internal Auditors’ (IIA’s) position on deterrence, detection, investigation and reporting of fraud is:

  • Deterrence of fraud is the responsibility of management.
  • Internal auditors must have sufficient knowledge to be able to identify the indicators that fraud may have occurred.
  • If control weaknesses are detected, additional tests should be performed to identify other factors of fraud that may be present.
  • Audit procedures alone will not guarantee that fraud will be detected.
  • A fraud that is detected needs to be reported.

The auditor should develop and plan the audit with a reasonable assurance of detecting material fraud or misstatements. However, because the perpetrators of fraud will try to hide it, it is not possible to guarantee discovery of material frauds.

Fraud is different from an error in that fraud is an intentional misstatement while an error is unintentional. The three main types of fraud are:

1. Fraudulent financial reporting
2. Misappropriation of assets
3. Corruption

Audit reports may be written or oral. Oral reports are more timely but do not replace written reports. Any oral reports should be followed with a written report confirming the oral report. All reports should include:

  • The purpose,
  • The scope of the engagement,
  • The results of the engagement, including recommendations, if applicable.

Reports might include summaries, background information, status of previous audit findings or other comments.

The purpose should include:

  • The engagement objectives – should be described in enough detail so readers know what to expect from the rest of the report.
  • Objectives should address the risks, controls and governance processes associated with the activities under review.

The purpose may also include:

  • Why the engagement was performed
  • What the expected results were (i.e., cost savings, increased efficiencies, etc.)

Description of the work done to achieve the engagement’s objectives. The scope should be sufficient to address the agreed-upon objectives.

  • Activities reviewed and time period reviewed
  • Any related activities not reviewed
  • The nature and extent of the work performed
  • Should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties

The scope should specifically state what areas were not covered that readers might expect to be covered unless told differently.

Includes observations, conclusions, an opinion if appropriate, recommendations, and action plans from the engagement.

  • Observations – audit findings made by comparing what is with what should be. An audit finding should include: background, criteria, condition, cause, and effect.
      • Background – identify people involved, environment of the operation, reason why the situation is reportable, etc.
      • Criteria – the standards used to judge the operation being audited. (The “what should be.”)
      • Condition – the facts determined through observation, questioning, analysis, verification and investigation. (The “what is.”)

Audit findings (continued):

      • Cause – explains the reason why “what is” is different from “what should be.”
      • Effect – the consequences of the difference between “what is” and “what should be.” To be reportable, an audit finding should have consequences – who or what was hurt, and how badly.
  • Conclusions – the internal auditor’s evaluations such as whether a function is operating as intended, if control criteria are being met, if objectives are being met, etc.
  • Recommendations – for improved performance, acknowledgement of satisfactory performance, any corrective actions needed.

One- or two-page “executive summary.”

  • To inform senior management of matters that need prompt or continued attention.
  • To inform senior management about significant findings.

Should include:

  • Brief description of the audit,
  • Conclusions,
  • Summary statements of significant findings with references to where the detail can be found in the full audit report, and
  • Brief description of actions taken by the client as a result of the audit findings.

May be issued in addition to the full audit report.

Internal Auditors – Reporting

The report should be:

  • Objective,
  • Clear,
  • Concise (no longer than necessary),
  • Timely, and
  • Constructive.

The report should be reviewed with the auditee before it is issued. The report should be distributed to everyone who has a direct interest in the area being audited.

The auditor should report:

  • All material facts that they know that, if not reported, could cause the audit report to be distorted or conceal unlawful acts,
  • Any variances between what should have been and what was,
  • Any suspected fraud,
  • The violation of any law,
  • Inconsistent product quality (in a quality audit), and
  • Any other reportable condition that management should be informed about.

Internal Auditors – Follow-up

Unlike the external auditor, the internal auditor should follow up on engagements after they are completed. The follow-up is to determine whether the recommendations have been implemented, whether they were timely, whether they have been effective, and how the department is doing.

Internal Auditors - IT

Use of computers to audit information systems:

  • Generalized audit software
  • Test data
  • Integrated test facility
  • Parallel simulation
  • Embedded audit routines
  • Extended records
  • Snapshots
  • Tracing
  • Mapping

Generalized Audit Software

Generalized Audit Software (GAS) consists of a series of computer program routines that can read computer files, select desired information, perform repetitive calculations, and print reports in an auditor-specified format. Generalized Audit Software enables auditors to have direct access to computerized records and to deal effectively with large quantities of data.
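The routine below is an added example, not part of the original presentation. It sketches in Python what a GAS-style routine does: it reads a file, selects exceptions, performs the repetitive calculations and formats a report, testing the completeness, validity, authorization and accuracy characteristics listed earlier plus segregation of duties. The column names, approved-vendor list, approval limit and ledger rows are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample extract of a payments file (illustrative, not real data).
SAMPLE_LEDGER = """\
voucher_no,vendor_id,qty,unit_price,amount,created_by,approved_by
1001,V01,10,25.00,250.00,asmith,bjones
1002,V02,4,1500.00,6000.00,asmith,
1003,V01,3,40.00,130.00,clee,bjones
1005,V09,1,900.00,900.00,clee,bjones
1006,V02,2,3000.00,6000.00,bjones,bjones
"""

# Assumptions for the example: the auditor has an approved-vendor master
# list and knows the amount at which approval becomes mandatory.
APPROVED_VENDORS = {"V01", "V02", "V03"}
APPROVAL_LIMIT = Decimal("5000.00")

TESTS = ("completeness", "validity", "authorization", "accuracy",
         "segregation_of_duties")


def read_records(text):
    """Read the file and convert fields to types suited to calculation."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {key: (value or "").strip() for key, value in row.items()}
        row["voucher_no"] = int(row["voucher_no"])
        for field in ("qty", "unit_price", "amount"):
            row[field] = Decimal(row[field])  # Decimal avoids float rounding
        records.append(row)
    return records


def run_tests(records, vendors=APPROVED_VENDORS, limit=APPROVAL_LIMIT):
    """Return {test name: [voucher numbers reported as exceptions]}."""
    exceptions = {name: [] for name in TESTS}
    if not records:
        return exceptions

    # Completeness: a gap in the pre-numbered voucher sequence suggests a
    # transaction that was not captured by the accounting system.
    seen = {r["voucher_no"] for r in records}
    exceptions["completeness"] = [
        n for n in range(min(seen), max(seen) + 1) if n not in seen
    ]

    for r in records:
        number = r["voucher_no"]
        # Validity: only transactions with approved vendors should be recorded.
        if r["vendor_id"] not in vendors:
            exceptions["validity"].append(number)
        # Authorization: amounts at or above the limit need an approver.
        if r["amount"] >= limit and not r["approved_by"]:
            exceptions["authorization"].append(number)
        # Accuracy: recompute the extension and compare with the recorded amount.
        if r["qty"] * r["unit_price"] != r["amount"]:
            exceptions["accuracy"].append(number)
        # Segregation of duties: the preparer must not approve their own entry.
        if r["approved_by"] and r["approved_by"] == r["created_by"]:
            exceptions["segregation_of_duties"].append(number)
    return exceptions


def format_report(exceptions):
    """Format the exceptions as a fixed-width report for the working papers."""
    lines = ["Exception report", "-" * 40]
    for name in TESTS:
        items = exceptions[name]
        detail = ", ".join(str(n) for n in items) if items else "none"
        lines.append(f"{name:<22} {len(items):>2}  {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_tests(read_records(SAMPLE_LEDGER))))
```

Because the routine runs over the whole file rather than a sample, every exception it reports is a candidate for follow-up by inspection of documentation or re-performance.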